Universally Composable Privacy Amplification 
Against Quantum Adversaries* 



Renato Renner   Robert König

Computer Science Department
ETH Zurich, Switzerland
renner@inf.ethz.ch   rkoenig@inf.ethz.ch



Abstract 

Privacy amplification is the art of shrinking a partially secret string Z to a highly 
secret key S. We show that, even if an adversary holds quantum information about the 
initial string Z, the key S obtained by two-universal hashing is secure, according to a 
universally composable security definition. Additionally, we give an asymptotically optimal 
lower bound on the length of the extractable key S in terms of the adversary's (quantum) 
knowledge about Z. Our result has applications in quantum cryptography. In particular,
it implies that many of the known quantum key distribution protocols are universally 
composable. 

1 Introduction 

1.1 Privacy amplification 

Consider two parties having access to a common string Z about which an adversary might 
have some partial information. Privacy amplification, introduced by Bennett, Brassard, and 
Robert PP, is the art of transforming this partially secure string Z into a highly secret key S 
by public discussion. A good technique is to compute S as the output of a publicly chosen 
two-universal hash function¹ F applied to Z. Indeed, it has been shown ^ [21 E] that, if the
adversary holds purely classical information W about Z, this method yields a secure key S 
and, additionally, is asymptotically optimal with respect to the length of S. For instance, if 
both the initial string Z and the adversary's knowledge W consist of many independent and 
identically distributed parts, the number of extractable key bits roughly equals the conditional 
Shannon entropy H(Z|W).

The analysis of privacy amplification can be extended to a situation where the adversary
might hold quantum instead of only classical information about Z. It has been shown jl| that
two-universal hashing allows for the extraction of a secure key S whose length roughly equals the
difference between the entropy of Z and the number of qubits stored by the adversary. This
can be applied to proving the security of quantum key distribution (QKD) protocols where
privacy amplification is used for the classical post-processing of the (only partially secure) raw
key [3].

* This work was partially supported by the Swiss National Science Foundation, project No. 20-66716.01.
1 See Section 2.1 for a definition of two-universal functions.

1.2 Universal composability 

Cryptographic protocols (e.g., for generating a secret key) are often used as components within 
a larger system (where, e.g., the secret key is used to encrypt messages). It is thus natural to 
require that the security of a protocol is not compromised when it is, e.g., invoked as a sub-protocol
in any (arbitrarily complex) scheme. This requirement is captured by the notion of
universal composability. Roughly speaking, a cryptographic protocol is said to be universally 
composable if it is secure in any arbitrary context. For instance, the universal composability 
of a secret key S guarantees that any bit of S remains secret even if some other part of S is 
given to an adversary.²

In the past few years, composable security has attracted a lot of interest and led to
important new definitions and proofs (see, e.g., the framework of Canetti [0] or Pfitzmann 
and Waidner ). Recently, Ben-Or and Mayers have generalized the notion of universal 
composability to the quantum case jSj. Universally composable security definitions are usually 
based on the idea of characterizing the security of a cryptographic scheme by its distance to an 
ideal system which (by definition) is perfectly secure. For instance, a secret key S is universally 
composable if it is close to an independent and almost uniformly distributed string U. This 
then implies that any cryptosystem which is proven secure when using a perfect key U remains 
secure when U is replaced by the (real) key S. 

Ben-Or, Horodecki, Leung, Mayers, and Oppenheim |Hj were the first to address the problem 
of universal composability in the context of QKD. Usually, the security of a QKD scheme is 
defined by the requirement that the mutual information between the final key S and the 
outcome of an arbitrary measurement of the adversary's quantum system be small (for a formal 
definition, see, e.g., ^Uj or jllj^. This, however, does not necessarily imply composability. 
Indeed, an adversary might wait with the measurement of his quantum state until he learns 
some of the bits of S, which might allow him to obtain more information about the remaining 
bits. 

1.3 Contributions 

We analyze the security of privacy amplification in a setting where an adversary holds quantum
information. We show that the key obtained by two-universal hashing is secure according to a
very strong security definition which, in any context, guarantees virtually the same security as
a perfect key. The security definition we use is essentially equivalent to the definition used in [2]
for analyzing the composability of QKD, and thus also provides universal composability with
respect to the framework of 8 (cf. Section^. This extends the result of [3] where a weaker
(not necessarily composable) security definition has been used. Moreover, our results have
implications for quantum cryptography. In particular, it follows from the analysis in [S] (which
is based on the security of privacy amplification) that many of the known QKD protocols (such
as BB84 |12| or B92 ^3]) are universally composable (cf. Section 4.4 for more details).

2 Note that this is not necessarily the case for many known security definitions of a secret key.

Additionally, we improve the lower bound on the length of the extractable key S given 
in 4 . If the initial information Z as well as the adversary's (quantum) knowledge consist of n 
independent pieces, our bound is asymptotically tight, for n approaching infinity. In particular, 
we obtain an explicit expression (in terms of von Neumann entropy) for the rate at which secret 
key bits can be generated, thus generalizing a result which has only been known for the case 
of purely classical adversaries (cf. Section 4.3).

2 Preliminaries 

2.1 Random functions and two-universal functions 

A random function from $\mathcal{X}$ to $\mathcal{Y}$ is a random variable taking values from the set of functions
with domain $\mathcal{X}$ and range $\mathcal{Y}$. A random function F from $\mathcal{X}$ to $\mathcal{Y}$ is called two-universal if

Pr[F(x) = F(x')} < , 

for any distinct $x, x' \in \mathcal{X}$.³ In particular, F is two-universal if, for any distinct $x, x' \in \mathcal{X}$, the
random variables F(x) and F(x') are independent and uniformly distributed. For instance, the
random function chosen uniformly from the set of all functions from $\mathcal{X}$ to $\mathcal{Y}$ is two-universal.
Non-trivial examples of two-universal functions can, e.g., be found in ^1] and |15j .

2.2 Density operators and random states 

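Let $\mathcal{H}$ be a Hilbert space. We denote by $\mathcal{S}(\mathcal{H})$ the set of density operators on $\mathcal{H}$, i.e., $\mathcal{S}(\mathcal{H})$ is
the set of positive operators $\rho$ on $\mathcal{H}$ with $\mathrm{tr}(\rho) = 1$. A density operator $\rho \in \mathcal{S}(\mathcal{H})$ is called pure
if it has rank 1, i.e., $\rho = |\phi\rangle\langle\phi|$ for some $|\phi\rangle \in \mathcal{H}$.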

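Let $(\Omega, P)$ be a discrete probability space. A random state $\rho$ on $\mathcal{H}$ is a random variable
with range $\mathcal{S}(\mathcal{H})$, i.e., a function from $\Omega$ to $\mathcal{S}(\mathcal{H})$. Let $\rho$ and $\rho'$ be two random states on $\mathcal{H}$
and $\mathcal{H}'$, respectively. The tensor product $\rho \otimes \rho'$ of $\rho$ and $\rho'$ is the random state on $\mathcal{H} \otimes \mathcal{H}'$
defined by

$$(\rho \otimes \rho')(\omega) := \rho(\omega) \otimes \rho'(\omega) ,$$

for any $\omega \in \Omega$.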

To describe settings involving both classical and quantum information, it is often convenient 
to represent classical information as a state of a quantum system. Let X be a random variable 
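with range $\mathcal{X}$ and let $\mathcal{H}$ be a $|\mathcal{X}|$-dimensional Hilbert space with orthonormal basis $\{|x\rangle\}_{x \in \mathcal{X}}$.
The random state representation of X, denoted $\{X\}$, is the random state on $\mathcal{H}$ defined by
$\{X\} := |X\rangle\langle X|$, i.e., for any $\omega \in \Omega$,

$$\{X\}(\omega) = |X(\omega)\rangle\langle X(\omega)| .$$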

3 In the literature, two-universality is usually defined for families $\mathcal{F}$ of functions: A family $\mathcal{F}$ is called
two-universal if the random function F with uniform distribution over $\mathcal{F}$ is two-universal.

Let $\rho$ be a random state. For an observer which is ignorant of the randomness of $\rho$, the density
operator of the quantum system described by $\rho$ is given by

$$[\rho] := E_\rho[\rho] = \sum_{\omega \in \Omega} P(\omega)\, \rho(\omega) .$$

More generally, for any event $\mathcal{E}$, the density operator of $\rho$ conditioned on $\mathcal{E}$, denoted $[\rho|\mathcal{E}]$, is
defined by

$$[\rho|\mathcal{E}] := E_\rho[\rho|\mathcal{E}] = \frac{1}{P[\mathcal{E}]} \sum_{\omega \in \mathcal{E}} P(\omega)\, \rho(\omega) .$$

Let $\rho \otimes \{X\}$ be a random state consisting of a classical part $\{X\}$ specified by a random
variable X. It is easy to see that the corresponding density operator $[\rho \otimes \{X\}]$ is given by

$$[\rho \otimes \{X\}] = E_x\big[\rho_x \otimes |x\rangle\langle x|\big] \tag{1}$$

where $\rho_x := [\rho|X = x]$. In particular, if X is independent of $\rho$, then

$$[\rho \otimes \{X\}] = [\rho] \otimes [\{X\}] . \tag{2}$$

2.3 Distance measures and non-uniformity 

The variational distance between two probability distributions P and Q over the same range
$\mathcal{X}$ is defined as

$$\delta(P, Q) := \frac{1}{2} \sum_{x \in \mathcal{X}} |P(x) - Q(x)| .$$

The variational distance between two probability distributions P and Q can be interpreted as 
the probability that two random experiments described by P and Q, respectively, are different. 
This is formalized by the following lemma. 

Lemma 2.1. Let P and Q be two probability distributions. Then there exists a pair of random
variables X and X' with joint probability distribution $P_{XX'}$ such that $P_X = P$, $P_{X'} = Q$, and

$$\Pr[X \neq X'] = \delta(P, Q) .$$

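The trace distance between two density operators $\rho$ and $\sigma$ on the same Hilbert space $\mathcal{H}$ is
defined as

$$\delta(\rho, \sigma) := \frac{1}{2} \mathrm{tr}(|\rho - \sigma|) .$$

The trace distance is a metric on the set of density operators $\mathcal{S}(\mathcal{H})$. We say that $\rho$ is $\varepsilon$-close
to $\sigma$ if $\delta(\rho, \sigma) \leq \varepsilon$, and denote by $\mathcal{B}^\varepsilon(\rho)$ the set of density operators which are $\varepsilon$-close to $\rho$, i.e.,
$\mathcal{B}^\varepsilon(\rho) = \{\sigma \in \mathcal{S}(\mathcal{H}) : \delta(\rho, \sigma) \leq \varepsilon\}$.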

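The trace distance is subadditive with respect to the tensor product, i.e., for any $\rho, \sigma \in \mathcal{S}(\mathcal{H})$
and $\rho', \sigma' \in \mathcal{S}(\mathcal{H}')$,

$$\delta(\rho \otimes \rho', \sigma \otimes \sigma') \leq \delta(\rho, \sigma) + \delta(\rho', \sigma') , \tag{3}$$

with equality if $\rho' = \sigma'$, i.e.,

$$\delta(\rho \otimes \rho', \sigma \otimes \rho') = \delta(\rho, \sigma) . \tag{4}$$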

Moreover, it cannot increase when the same quantum operation $\mathcal{E}$ is applied to both arguments,
i.e.,

$$\delta(\mathcal{E}(\rho), \mathcal{E}(\sigma)) \leq \delta(\rho, \sigma) . \tag{5}$$

Similarly, the trace distance between $\rho$ and $\sigma$ is an upper bound for the variational distance
between the probability distributions P and Q of the outcomes when applying the same
measurement to $\rho$ and $\sigma$, respectively, i.e.,

$$\delta(P, Q) \leq \delta(\rho, \sigma) . \tag{6}$$

The variational distance can be seen as a (classical) special case of the trace distance. Let X
and Y be random variables. Then the variational distance between the probability distributions
of X and Y equals the trace distance between the corresponding density matrices $[\{X\}]$ and
$[\{Y\}]$, i.e.,

$$\delta(P_X, P_Y) = \delta([\{X\}], [\{Y\}]) .$$

The trace distance between two density operators containing a representation of the same 
classical random variable X can be written as the expectation of the trace distance between 
the density operators conditioned on X. 

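Lemma 2.2. Let X be a random variable and let $\rho$ and $\sigma$ be random states. Then

$$\delta([\rho \otimes \{X\}], [\sigma \otimes \{X\}]) = E_x[\delta(\rho_x, \sigma_x)]$$

where $\rho_x := [\rho|X = x]$ and $\sigma_x := [\sigma|X = x]$.

Proof. Using (1) and the orthogonality of the vectors $|x\rangle$, we obtain

$$\delta([\rho \otimes \{X\}], [\sigma \otimes \{X\}]) = \frac{1}{2} \mathrm{tr}\Big| E_x\big[(\rho_x - \sigma_x) \otimes |x\rangle\langle x|\big] \Big| = \frac{1}{2} \mathrm{tr}\Big( E_x\big[ \big|(\rho_x - \sigma_x) \otimes |x\rangle\langle x|\big| \big] \Big) .$$

The assertion then follows from the linearity of the trace and the fact that
$\mathrm{tr}\big|(\rho_x - \sigma_x) \otimes |x\rangle\langle x|\big| = \mathrm{tr}|\rho_x - \sigma_x|$. □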

In Section |21 we will see that a natural measure for characterizing the secrecy of a key is 
its trace distance to a uniform distribution. 

Definition 2.3. Let X be a random variable with range $\mathcal{X}$ and let $\rho$ be a random state. The
non-uniformity of X given $\rho$ is defined by

$$d(X|\rho) := \delta([\{X\} \otimes \rho], [\{U\}] \otimes [\rho])$$

where U is a random variable uniformly distributed on $\mathcal{X}$.

Note that $d(X|\rho) = 0$ if and only if X is uniformly distributed and independent of $\rho$.

2.4 (Smooth) Renyi entropy

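Let $\rho \in \mathcal{S}(\mathcal{H})$ be a density operator and let $\alpha \in [0, \infty]$. The Renyi entropy of order $\alpha$ of $\rho$ is
defined by

$$S_\alpha(\rho) := \frac{1}{1 - \alpha} \log_2(\mathrm{tr}(\rho^\alpha))$$

with the convention $S_\alpha(\rho) := \lim_{\beta \to \alpha} S_\beta(\rho)$ for $\alpha \in \{0, 1, \infty\}$. In particular, for $\alpha = 0$,
$S_0(\rho) = \log_2(\mathrm{rank}(\rho))$ and, for $\alpha = \infty$, $S_\infty(\rho) = -\log_2(\lambda_{\max}(\rho))$ where $\lambda_{\max}(\rho)$ denotes the
maximum eigenvalue of $\rho$. For $\alpha = 1$, $S_\alpha(\rho)$ is equal to the von Neumann entropy $S(\rho)$.
Moreover, for $\alpha, \beta \in [0, \infty]$,

$$\alpha \leq \beta \implies S_\alpha(\rho) \geq S_\beta(\rho) . \tag{7}$$

Note that, for a classical random variable X, the Renyi entropy $S_\alpha([\{X\}])$ of the quantum
representation of X corresponds to the Renyi entropy $H_\alpha(X)$ of X as defined in classical
information theory |16j .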

The definition of Renyi entropy for density operators can be generalized to the notion of 
smooth Renyi entropy, which has been introduced in for the case of classical probability 
distributions. 

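Definition 2.4. Let $\rho \in \mathcal{S}(\mathcal{H})$, let $\alpha \in [0, \infty]$, and let $\varepsilon > 0$. The $\varepsilon$-smooth Renyi entropy of
order $\alpha$ of $\rho$ is defined by

$$S_\alpha^\varepsilon(\rho) := \frac{1}{1 - \alpha} \log_2\Big( \inf_{\sigma \in \mathcal{B}^\varepsilon(\rho)} \mathrm{tr}(\sigma^\alpha) \Big)$$

with the convention $S_\alpha^\varepsilon(\rho) := \lim_{\beta \to \alpha} S_\beta^\varepsilon(\rho)$, for $\alpha = 0$ or $\alpha = \infty$, and $S_1^\varepsilon(\rho) := S(\rho)$.

The smooth Renyi entropy of order $\alpha$ can easily be expressed in terms of conventional Renyi
entropy. In particular, for $\alpha = 0$,

$$S_0^\varepsilon(\rho) = \inf_{\sigma \in \mathcal{B}^\varepsilon(\rho)} S_0(\sigma) \tag{8}$$

and, for $\alpha = \infty$,

$$S_\infty^\varepsilon(\rho) = \sup_{\sigma \in \mathcal{B}^\varepsilon(\rho)} S_\infty(\sigma) . \tag{9}$$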

The following lemma is a direct generalization of the corresponding classical statement
in saying that, for any order $\alpha$, the smooth Renyi entropy $H_\alpha^\varepsilon(W)$ of a random variable
W consisting of many independent and identically distributed pieces asymptotically equals its
Shannon entropy H(W).

Lemma 2.5. Let $\rho$ be a density operator. Then, for any $\alpha \in [0, \infty]$,

$$\lim_{\varepsilon \to 0} \lim_{n \to \infty} \frac{S_\alpha^\varepsilon(\rho^{\otimes n})}{n} = S(\rho) .$$

3 Secret keys and composability



The main idea for obtaining universally composable security definitions is to compare the 
behavior of a real cryptographic protocol with an ideal functionality. For a protocol which is 
supposed to generate a secret key S, this ideal functionality is simply a source which outputs an
independent and uniformly distributed random variable U (in particular, U is fully independent 
of the adversary's information). This motivates the following definition. 

Definition 3.1. Let S be a random variable, let $\rho$ be a random state, and let $\varepsilon > 0$. S is said
to be an $\varepsilon$-secure secret key with respect to $\rho$ if

$$d(S|\rho) \leq \varepsilon .$$

Consider a situation where S is used as a secret key and where the adversary's information
is given by a random state $\rho$. The $\varepsilon$-security of S with respect to $\rho$ guarantees that this
situation (which is described by the density operator $[\rho \otimes \{S\}]$) is $\varepsilon$-close — with respect to the
trace distance — to an ideal setting (described by $[\rho \otimes \{U\}]$) where S is replaced by a perfect
key U which is uniformly distributed and independent of $\rho$. Since the trace distance does
not increase when appending an additional quantum system (cf. (4)) or when applying any
arbitrary quantum operation (cf. (5)), this also holds for any further evolution of the system.
In particular, it follows from (6) and Lemma 2.1 that the real and the ideal setting can be
considered to be identical with probability at least $1 - \varepsilon$.

Definition 3.1 is essentially equivalent to an intermediate definition which has been used
in [3] to prove the universal composability of QKD. More precisely, if S is $\varepsilon$-secure according to
Definition 3.1, it satisfies the security definition of [0] for some $\varepsilon'$ depending on $\varepsilon$.⁴ It is thus an
immediate consequence of the results in [H] that Definition 3.1 provides universal composability
in the framework of |Hj.

Note that Definition 3.1 can also be seen as a natural generalization of classical security
definitions based on the variational distance (which is the classical analogue of the trace
distance). Indeed, if the adversary's knowledge is purely classical, Definition 3.1 is equivalent to
the security definition as it is, e.g., used in ^5] or [I].

4 Main result 

4.1 Theorem and proof 

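Theorem 4.1. Let Z be a random variable with range $\mathcal{Z}$, let $\rho$ be a random state, and let F be
a two-universal function on $\mathcal{Z}$ with range $\mathcal{S} = \{0, 1\}^s$ which is independent of Z and $\rho$. Then

$$d(F(Z)|\{F\} \otimes \rho) \leq \frac{1}{2}\, 2^{-\frac{1}{2}\left(S_2([\{Z\} \otimes \rho]) - S_0([\rho]) - s\right)} .$$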

4 In [5], a key S about which an adversary has information p B is defined to be secure (with parameter e') if the 
Shannon distinguishability SD between pi := J2s Ps{s)\s)(s\ ®p s and po := J2 a Jgjl s )( s l ®p'> f° r P : ~ S s T^T /3s ' 
is small, i.e., e' = SD(pi,po)- The relation between e and e' thus follows from the relation between the trace 
distance and the Shannon distance (see, e.g., 
The following corollary is a consequence of property (JJJ), expressions (jSJ) and ©, and the
triangle inequality for the trace distance. 

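Corollary 4.2. Let Z be a random variable with range $\mathcal{Z}$, let $\rho$ be a random state, let F be a
two-universal function on $\mathcal{Z}$ with range $\mathcal{S} = \{0, 1\}^s$ which is independent of Z and $\rho$, and let
$\varepsilon > 0$. Then

$$d(F(Z)|\{F\} \otimes \rho) \leq \frac{1}{2}\, 2^{-\frac{1}{2}\left(S_2^\varepsilon([\{Z\} \otimes \rho]) - S_0^\varepsilon([\rho]) - s\right)} + 2\varepsilon .$$

Let us first state some technical lemmas to be used for the proof of Theorem 4.1.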

Lemma 4.3. Let Z be a random variable with range $\mathcal{Z}$, let $\rho$ be a random state, and let F be
a random function with domain $\mathcal{Z}$ which is independent of Z and $\rho$. Then

$$d(F(Z)|\{F\} \otimes \rho) = E_F[d(F(Z)|\rho)] .$$

Proof. Let U be a random variable uniformly distributed on Z and independent of F and $\rho$.
Then

$$d(F(Z)|\rho \otimes \{F\}) = \delta\big( [(\{F(Z)\} \otimes \rho) \otimes \{F\}], [(\{U\} \otimes \rho) \otimes \{F\}] \big) .$$

Now, applying Lemma 2.2 to the random states $\{F(Z)\} \otimes \rho$ and $\{U\} \otimes \rho$ gives the desired
result, since

$$[\{F(Z)\} \otimes \rho \,|\, F = f] = [\{f(Z)\} \otimes \rho]$$
$$[\{U\} \otimes \rho \,|\, F = f] = [\{U\}] \otimes [\rho]$$

which holds because F is independent of Z, $\rho$, and U. □

The following lemmas can most easily be formalized in terms of the square of the
Hilbert-Schmidt distance. For two density operators $\rho$ and $\sigma$, let

$$\Delta(\rho, \sigma) := \mathrm{tr}((\rho - \sigma)^2) .$$

Moreover, for a random variable X with range $\mathcal{X}$ and a random state $\rho$, we define

$$D(X|\rho) := \Delta([\{X\} \otimes \rho], [\{U\}] \otimes [\rho])$$

where U is a random variable uniformly distributed on $\mathcal{X}$.

Lemma 4.4. Let $\rho$ and $\sigma$ be two density operators on $\mathcal{H}$. Then

$$\delta(\rho, \sigma) \leq \frac{1}{2} \sqrt{\mathrm{rank}(\rho - \sigma) \cdot \Delta(\rho, \sigma)} .$$

Proof. The assertion follows directly from Lemma A.2 and the definition of the distance
measures $\delta(\cdot, \cdot)$ and $\Delta(\cdot, \cdot)$. □

Lemma 4.5. Let X be a random variable with range $\mathcal{X}$ and let $\rho$ be a random state. Then

$$d(X|\rho) \leq \frac{1}{2}\, 2^{\frac{S_0([\rho])}{2}} \sqrt{|\mathcal{X}|\, D(X|\rho)} .$$
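Proof. This is an immediate consequence of the definitions and Lemma 4.4. □

Lemma 4.6. Let X be a random variable with range $\mathcal{X}$ and let $\rho$ be a random state. Then

$$D(X|\rho) = \mathrm{tr}\Big( \sum_{x \in \mathcal{X}} P_X(x)^2 \rho_x^2 - \frac{1}{|\mathcal{X}|} [\rho]^2 \Big)$$

where $\rho_x := [\rho|X = x]$ for $x \in \mathcal{X}$.

Proof. From (1), we have

$$\begin{aligned}
D(X|\rho) &= \mathrm{tr}\Big( \Big( \sum_{x \in \mathcal{X}} P_X(x)\, |x\rangle\langle x| \otimes \rho_x - \frac{1}{|\mathcal{X}|} \sum_{x \in \mathcal{X}} |x\rangle\langle x| \otimes [\rho] \Big)^2 \Big) \\
&= \mathrm{tr}\Big( \sum_{x \in \mathcal{X}} \Big( P_X(x) \rho_x - \frac{1}{|\mathcal{X}|} [\rho] \Big)^2 \Big) \\
&= \mathrm{tr}\Big( \sum_{x \in \mathcal{X}} P_X(x)^2 \rho_x^2 - \frac{2}{|\mathcal{X}|} \sum_{x \in \mathcal{X}} P_X(x) \rho_x [\rho] + \frac{1}{|\mathcal{X}|} [\rho]^2 \Big) .
\end{aligned}$$

Inserting the identity

$$[\rho] = \sum_{x \in \mathcal{X}} P_X(x) \rho_x$$

concludes the proof. □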

Lemma 4.7. Let Z be a random variable with range $\mathcal{Z}$, let $\rho$ be a random state, and let F be
a two-universal function on $\mathcal{Z}$ chosen independently of Z and $\rho$. Then

$$E_F[D(F(Z)|\rho)] \leq 2^{-S_2([\{Z\} \otimes \rho])} .$$

Proof. Let us define $\rho_z := [\rho|Z = z]$ for every $z \in \mathcal{Z}$ and let $\mathcal{S}$ be the range of F. With
Lemma 4.6, we obtain

$$E_F[D(F(Z)|\rho)] = \mathrm{tr}\Big( E_F\Big[ \sum_{s \in \mathcal{S}} \Pr[F(Z) = s]^2\, [\rho|F(Z) = s]^2 \Big] \Big) - \frac{1}{|\mathcal{S}|} \mathrm{tr}([\rho]^2) , \tag{10}$$

using the linearity of the expectation value and the trace. Note that

$$\Pr[f(Z) = s] \cdot [\rho|f(Z) = s] = \sum_{z \in \mathcal{Z} :\, f(z) = s} P_Z(z)\, \rho_z .$$

Using this identity and rearranging the summation order, we get

$$\sum_{s \in \mathcal{S}} \Pr[f(Z) = s]^2\, [\rho|f(Z) = s]^2 = \sum_{z, z' \in \mathcal{Z}} P_Z(z) P_Z(z')\, \rho_z \rho_{z'}\, \delta_{f(z), f(z')} ,$$

where $\delta_{x,y}$ is the Kronecker delta which equals 1 if x = y and 0 otherwise. Taking the
expectation value over the random choice of F then gives

$$E_F\Big[ \sum_{s \in \mathcal{S}} \Pr[F(Z) = s]^2\, [\rho|F(Z) = s]^2 \Big] = \sum_{z, z' \in \mathcal{Z}} P_Z(z) P_Z(z')\, \rho_z \rho_{z'}\, \Pr[F(z) = F(z')] .$$

Similarly, we obtain

$$[\rho]^2 = \sum_{z, z' \in \mathcal{Z}} P_Z(z) P_Z(z')\, \rho_z \rho_{z'} .$$

Inserting this into (10), we get

$$E_F[D(F(Z)|\rho)] = \sum_{z, z' \in \mathcal{Z}} P_Z(z) P_Z(z') \Big( \Pr[F(z) = F(z')] - \frac{1}{|\mathcal{S}|} \Big) \mathrm{tr}(\rho_z \rho_{z'}) .$$

As we assumed that F is two-universal, all summands with $z \neq z'$ are not larger than zero and
we are left with

$$E_F[D(F(Z)|\rho)] \leq \sum_{z \in \mathcal{Z}} P_Z(z)^2\, \mathrm{tr}(\rho_z^2) = \mathrm{tr}([\{Z\} \otimes \rho]^2)$$

from which the assertion follows by the definition of the Renyi entropy $S_2$. □
Proof of Theorem 4.1. Using Lemma 4.3 and Lemma 4.5, we get

$$\begin{aligned}
d(F(Z)|\{F\} \otimes \rho) &= E_F[d(F(Z)|\rho)] \\
&\leq \frac{1}{2}\, 2^{\frac{s + S_0([\rho])}{2}}\, E_F\Big[ \sqrt{D(F(Z)|\rho)} \Big] \\
&\leq \frac{1}{2}\, 2^{\frac{s + S_0([\rho])}{2}}\, \sqrt{E_F[D(F(Z)|\rho)]} ,
\end{aligned}$$

where the last inequality follows from Jensen's inequality and the convexity of the square root.
Applying Lemma 4.7 concludes the proof. □

4.2 Privacy amplification against quantum adversaries 

We now apply the results of the previous section to show that privacy amplification by
two-universal hashing is secure (with respect to the universally composable security definition of
Section 3) against an adversary holding quantum information. Consider two distant parties
which are connected by an authentic, but otherwise fully insecure classical communication
channel. Additionally, they have access to a common random string Z about which an
adversary has some partial information represented by the state $\rho$ of a quantum system. The
two legitimate parties can apply the following privacy amplification protocol to obtain a secure
key S: One of the parties chooses an instance of a two-universal function F and announces his
choice to the other party using the public communication channel. Then, both parties compute
S = F(Z). Since the information of the adversary after the execution of the protocol is given
by $\rho \otimes \{F\}$, one wants the final key S to be $\varepsilon$-secure with respect to $\rho \otimes \{F\}$ (cf. Definition 3.1),
for some small $\varepsilon > 0$. It is an immediate consequence of Corollary 4.2 that this is achieved if
the key S has length at most

$$s = S_2^{\bar\varepsilon}([\{Z\} \otimes \rho]) - S_0^{\bar\varepsilon}([\rho]) - 2 \log_2(1/\varepsilon) , \tag{11}$$

for $\bar\varepsilon = \varepsilon/4$.
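
The bound of Theorem 4.1 can be checked numerically on a small instance. The following Python sketch is an added example, not code from the paper: it assumes a uniform 6-bit Z, a constructed qubit state for the adversary that depends on the two low bits of z, and, as the two-universal function, the family of all s-by-n binary matrices over GF(2) (distinct inputs collide with probability exactly 2^-s); all helper names are hypothetical.

```python
import math
from fractions import Fraction
from itertools import product


def parity(v):
    return bin(v).count("1") & 1


def linear_hash(rows, z):
    """f(z) = M z over GF(2); rows[i] is row i of M packed into an int."""
    return sum(parity(r & z) << i for i, r in enumerate(rows))


def family(n, s):
    """All s-by-n binary matrices: a two-universal family {0,1}^n -> {0,1}^s."""
    return product(range(2 ** n), repeat=s)


def collision_probability(n, s, x, y):
    """Exact Pr_F[F(x) = F(y)] for F uniform over the family."""
    hits = sum(linear_hash(f, x) == linear_hash(f, y) for f in family(n, s))
    return Fraction(hits, 2 ** (n * s))


def eigenvalues(m):
    """Eigenvalues of the real symmetric 2x2 matrix [[a, b], [b, c]], m = (a, b, c)."""
    a, b, c = m
    mid, rad = (a + c) / 2, math.hypot((a - c) / 2, b)
    return mid + rad, mid - rad


def axpy(m, w, k):
    """m + w * k, entry by entry."""
    return tuple(p + w * q for p, q in zip(m, k))


def adversary_state(z):
    """Constructed rho_z: a pure qubit state whose angle depends on the two low bits of z."""
    t = math.pi / 8 * (z & 3)
    return (math.cos(t) ** 2, math.cos(t) * math.sin(t), math.sin(t) ** 2)


def non_uniformity_and_bound(n, s):
    """Return (d(F(Z)|{F} (x) rho), right-hand side of Theorem 4.1) for uniform Z on n bits."""
    pz = 1 / 2 ** n
    states = [adversary_state(z) for z in range(2 ** n)]
    rho = (0.0, 0.0, 0.0)
    for st in states:
        rho = axpy(rho, pz, st)  # [rho] = sum_z P_Z(z) rho_z

    total = 0.0
    for f in family(n, s):  # Lemma 4.3: average d(f(Z)|rho) over the choice of f
        blocks = [(0.0, 0.0, 0.0)] * 2 ** s
        for z, st in enumerate(states):
            k = linear_hash(f, z)
            blocks[k] = axpy(blocks[k], pz, st)  # Pr[f(Z)=k] * [rho | f(Z)=k]
        # Both operators are block diagonal in the key register, so the trace
        # norm of their difference is the sum of the per-key trace norms.
        total += 0.5 * sum(
            sum(abs(e) for e in eigenvalues(axpy(b, -1 / 2 ** s, rho))) for b in blocks
        )
    d = total / 2 ** (n * s)

    # S_2([{Z} (x) rho]) = -log2 sum_z P_Z(z)^2 tr(rho_z^2);  S_0([rho]) = log2 rank([rho])
    s2 = -math.log2(sum(pz ** 2 * (a * a + 2 * b * b + c * c) for a, b, c in states))
    s0 = math.log2(sum(e > 1e-12 for e in eigenvalues(rho)))
    return d, 0.5 * 2 ** (-0.5 * (s2 - s0 - s))


if __name__ == "__main__":
    for s in (1, 2):
        d, bound = non_uniformity_and_bound(6, s)
        print(f"s={s}: d={d:.4f} <= bound={bound:.4f}")
```

Here S_2 = 6 and S_0 = 1, so the bound is 1/8 for a one-bit key and grows by a factor of sqrt(2) for each further key bit, which is the trade-off that the key-length formula (11) makes explicit.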

4.3 Asymptotic optimality 

We now show that the bound (11) is asymptotically optimal, i.e., that the right hand side of (11)
is (in an asymptotic sense) also an upper bound for the number of key bits that can be extracted
by any protocol. Consider a setting where both the initial information $Z^{(n)}$ as well as the
adversary's state $\rho^{(n)}$ consist of many independent pieces: For $n \in \mathbb{N}$, let $Z^{(n)} = (Z_1, \ldots, Z_n)$ and
$\rho^{(n)} = \rho_1 \otimes \cdots \otimes \rho_n$ where $(Z_i, \rho_i)$ are independent pairs with identical probability distribution
$P_{(Z_i, \rho_i)} = P_{(Z, \rho)}$. Let s(n) be the length of the key S that can be extracted from $Z^{(n)}$ by an
optimal privacy amplification protocol. Using Lemma 2.5, we conclude from (11) that

$$s(n) \geq H(Z^{(n)}|\rho^{(n)}) + o(n) \tag{12}$$

where, for any Z and $\rho$, $H(Z|\rho)$ is defined by

$$H(Z|\rho) := S([\{Z\} \otimes \rho]) - S([\rho]) .$$

Let now $S := F(Z^{(n)})$ be a key of length s(n) computed by applying any random function F
to $Z^{(n)}$. It is a direct consequence of Definition 3.1 that the key S can only be $\varepsilon$-secure with
respect to $\rho^{(n)} \otimes \{F\}$ (for $\varepsilon$ approaching 0 as n goes to infinity) if

$$s(n) \leq H(F(Z^{(n)})|\rho^{(n)} \otimes \{F\}) + o(n) . \tag{13}$$

Note that the quantity $H(Z|\rho)$ can only decrease when applying any function f to its first
argument, i.e., for any random function F chosen independently of $Z^{(n)}$ and $\rho^{(n)}$,

$$H(F(Z^{(n)})|\rho^{(n)} \otimes \{F\}) \leq H(Z^{(n)}|\rho^{(n)} \otimes \{F\}) = H(Z^{(n)}|\rho^{(n)}) . \tag{14}$$

Thus, combining (12), (13), and (14), we obtain an expression for the maximum number s(n)
of extractable key bits,

$$s(n) = H(Z^{(n)}|\rho^{(n)}) + o(n) .$$

In particular, the maximum rate $R := \lim_{n \to \infty} \frac{s(n)}{n}$ at which secret key bits can be generated,
from independent realizations of Z about which the adversary has information given by $\rho$, is

$$R = S([\{Z\} \otimes \rho]) - S([\rho]) = H(Z|\rho) . \tag{15}$$

This fact is already known for the special case where the adversary's information is purely
classical. Indeed, if the adversary's knowledge about each realization of Z is given by a
realization of a random variable W, expression (15) reduces to the well-known classical result

$$R = H(ZW) - H(W) = H(Z|W)$$

(see, e.g., pT7] or |ST]).
4.4 Applications to QKD

Theorem 4.1 has interesting implications for quantum key distribution (QKD). Recently, a
generic protocol for QKD has been presented and proven secure against general attacks 5 .
Moreover, it has been shown that many of the known protocols, such as BB84 or B92, are special
instances of this generic protocol, i.e., their security directly follows from the security of the
generic QKD protocol. Since the result in [2] is based on the security of privacy amplification,
the strong type of security implied by Theorem 4.1 immediately carries over to this generic
QKD protocol. In particular, the secret keys generated by the BB84 and the B92 protocol
satisfy Definition 3.1 and thus provide universal composability.

5 Acknowledgment 

The authors thank Ueli Maurer for many inspiring discussions, and Dominic Mayers for useful 
comments. 

A Some identities 

Lemma A.1 (Schur's inequality). Let A be a linear operator on a d-dimensional Hilbert
space $\mathcal{H}$ and let $\lambda_1, \ldots, \lambda_d$ be its eigenvalues. Then

$$\sum_{i=1}^{d} |\lambda_i|^2 \leq \mathrm{tr}(A A^\dagger) ,$$

with equality if and only if A is normal (i.e., $A A^\dagger = A^\dagger A$).

Proof. See, e.g., j22j . □

Lemma A.2. Let A be a normal operator with rank r. Then

Proof. Let $\lambda_1, \ldots, \lambda_r$ be the r nonzero eigenvalues of A. Since the square root is concave, we
can apply Jensen's inequality leading to

The assertion then follows from Schur's inequality. □